
Layer 3 VPN / VLAN

Technical Write-Up

Advantech Satellite Networks



Date: 10 October 2006



Revision History

Revision   Date               Description
Rev 1-0    10 October 2006    First Revision



Table of Contents

LAYER 3 VPN / VLAN ........ 5

March 2006 Advantech Satellite Networks Proprietary Page 3



List of Figures

Figure 1  Layer 3 Site-to-Site VPN with the Advantech Satellite Network ........ 5
Figure 2  VPN address spaces management in the Advantech Satellite Network ........ 6
Figure 3  Cisco 2811 Integrated Services Router ........ 7
Figure 4  IP addresses resource allocation in the Satellite Network ........ 8




LAYER 3 VPN / VLAN


A Virtual Private Network (VPN) allows the provisioning of private network services for an organization
or organizations over a public or shared infrastructure such as the Internet or a service provider backbone
network. The shared service provider backbone network is known as the VPN backbone and is used to
transport traffic for multiple VPNs, as well as possibly non-VPN traffic.

One widely used type of VPN is the Layer 3 VPN. Layer 3 site-to-site VPNs interconnect hosts and
routers at separate customer sites. These customer hosts and routers communicate based on Layer 3
(network layer) addressing, and Provider Edge (PE) devices forward traffic based on the incoming interface
and on the addresses contained in the IP header.

Figure 1 (diagram): several Branch Offices, each with a customer device (VPN unaware) sending VLAN
tagged or untagged traffic to a remote-side device (VPN aware: tunnel endpoint). VPN tunnels cross the
Advantech Satellite Network and the Service Provider Network (the VPN backbone) to the SP-side device
(VPN aware: tunnel endpoint), which connects to the Head Offices over a VLAN trunk.

FIGURE 1 LAYER 3 SITE-TO-SITE VPN WITH THE ADVANTECH SATELLITE NETWORK

A common problem when interconnecting multiple Layer 3 VPNs through a shared network such as a
satellite network is that the address space resources used by these VPNs can overlap. This address
space overlap creates an ambiguity on the routing of VPN traffic through the satellite network.

Advantech Satellite Networks offers a solution that allows multiple Head Offices or departments with
overlapping address spaces to communicate with remote Branch Offices through the satellite network.
This solution uses GRE VPN tunnels to encapsulate the VPN traffic between the Service Provider-side
(SP-side) device and the remote-side devices of the satellite network. The GRE tunnel IP addressing
uses a reserved address space within the satellite network address space, therefore allowing the routing
of VPN traffic through the satellite network without any ambiguity.

FIGURE 2 VPN ADDRESS SPACES MANAGEMENT IN THE ADVANTECH SATELLITE NETWORK

A common technology used by organizations to separate the broadcast domains and the address spaces
of different groups in their network is the virtual LAN (VLAN). Using the Advantech solution presented,
customers wishing to interconnect VLANs at separate customer sites would simply group these VLANs
into an 802.1Q VLAN trunk and connect it to the Service Provider-side of the Advantech Gateway network.
Based on the incoming interface, the VLAN ID and the IP destination address, the VPN traffic is
encapsulated into a GRE tunnel and routed to the SIT connected to the customer’s remote site associated
with that VLAN. For VPN traffic generated at the remote sites, the process is similar except that the SIT
performs the GRE encapsulation and the tunneling router performs the GRE de-encapsulation.
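The forwarding and encapsulation steps described above, as an added Python example (not code from Advantech or from this write-up): a small model of the SP-side tunneling router's decision (incoming interface, VLAN ID and IP destination select a GRE tunnel) and of the SIT-side de-encapsulation, built with raw struct packing so it runs offline. The interface name `Fa0/0`, the VLAN IDs 100 and 200, the customer prefix 192.168.10.0/24 and the individual tunnel endpoint addresses are constructed values; the endpoints are drawn from the reserved 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24 ranges used later in the document. Two customers deliberately share the same inner prefix to show that the satellite network only ever routes on the distinct outer tunnel addresses.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type field for an IPv4 payload

# Constructed forwarding table of the SP-side tunneling router (hypothetical values).
# Key:   (incoming interface, 802.1Q VLAN ID, destination prefix)
# Value: (tunnel source on the router, tunnel destination = SIT endpoint)
# VLAN 100 and VLAN 200 belong to two customers that use the SAME private prefix.
VPN_TABLE = {
    ("Fa0/0", 100, IPv4Network("192.168.10.0/24")):
        (IPv4Address("10.1.1.1"), IPv4Address("10.1.2.10")),
    ("Fa0/0", 200, IPv4Network("192.168.10.0/24")):
        (IPv4Address("10.1.1.2"), IPv4Address("10.1.3.10")),
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as used by the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: IPv4Address, dst: IPv4Address, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      src.packed, dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a bad header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]), pkt[9], pkt[ihl:]


def select_tunnel(iface: str, vlan_id: int, inner_pkt: bytes):
    """Router decision: incoming interface + VLAN ID + inner IP destination -> endpoints."""
    _, dst, _, _ = parse_ipv4(inner_pkt)
    for (k_iface, k_vlan, prefix), endpoints in VPN_TABLE.items():
        if k_iface == iface and k_vlan == vlan_id and dst in prefix:
            return endpoints
    return None  # not VPN traffic for this interface/VLAN: handled as plain traffic


def gre_encapsulate(iface: str, vlan_id: int, inner_pkt: bytes) -> bytes:
    """Wrap the customer packet: outer IPv4 (reserved endpoints) + 4-byte GRE header + inner."""
    endpoints = select_tunnel(iface, vlan_id, inner_pkt)
    if endpoints is None:
        raise LookupError("no VPN tunnel for this interface/VLAN/destination")
    tun_src, tun_dst = endpoints
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence options
    return build_ipv4(tun_src, tun_dst, GRE_PROTO, gre_hdr + inner_pkt)


def satellite_forwarding_key(outer_pkt: bytes):
    """What the satellite network routes on: only the outer (tunnel) addresses."""
    tun_src, tun_dst, _, _ = parse_ipv4(outer_pkt)
    return str(tun_src), str(tun_dst)


def gre_decapsulate(outer_pkt: bytes) -> bytes:
    """SIT side: strip the outer IPv4 and GRE headers, return the original customer packet."""
    _, _, proto, payload = parse_ipv4(outer_pkt)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return payload[4:]


def sample_inner_packet() -> bytes:
    """Constructed customer packet: protocol 17 (UDP) with a placeholder payload."""
    return build_ipv4(IPv4Address("192.168.10.5"), IPv4Address("192.168.10.20"), 17, b"data")


def demo():
    """Two customers, identical inner addresses, distinct tunnels through the satellite network."""
    inner = sample_inner_packet()
    results = {}
    for vlan in (100, 200):
        outer = gre_encapsulate("Fa0/0", vlan, inner)
        assert gre_decapsulate(outer) == inner  # the SIT recovers the packet unchanged
        results[vlan] = satellite_forwarding_key(outer)
    return results


if __name__ == "__main__":
    for vlan, (s, d) in demo().items():
        print(f"VLAN {vlan}: satellite network forwards on {s} -> {d}")
```

The same inner packet (192.168.10.5 to 192.168.10.20) arriving on VLAN 100 and on VLAN 200 leaves the router in two different outer envelopes, 10.1.1.1 to 10.1.2.10 and 10.1.1.2 to 10.1.3.10, which is all the satellite network ever looks at; the overlap of the customers' inner address spaces never reaches its routing tables.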

The Advantech Satellite Networks SIT model S4100 has the following functionalities to support Layer 3
VPN / VLAN connectivity:

- GRE encapsulation/de-encapsulation.
- VLAN tagged (trunk) and untagged traffic on the Ethernet port.
- Remote GRE and VLAN configuration by the Network Management System (NMS).

The Layer 3 VPN / VLAN connectivity feature of the SIT S4100 is optional.

The tunneling router functionality located at the SP-side of the Gateway network is offered by a Cisco
2811 Integrated Services Router. This router has the following functionalities to support Layer 3 VPN /
VLAN connectivity:

- GRE encapsulation/de-encapsulation.
- 1 FastEthernet port with VLAN trunking used as the interface to SP-side customer VPNs (with the
option to add a second one).
- 1 FastEthernet port to connect to the Advantech Gateway network.
- Remote GRE and VLAN configuration by the Network Management System (NMS).
- Support for enough simultaneous GRE tunnels to service a network with up to 200 SITs that are
members of VPNs.

Where support for more SITs that are members of VPNs is required, two solutions are possible:

- Multiple Cisco 2811 routers could be used.
- The Cisco 3825 Integrated Services Router could be used. This router can support up to 400
terminals that are members of VPNs.

FIGURE 3 CISCO 2811 INTEGRATED SERVICES ROUTER

As mentioned previously, the main goal of this architecture is to isolate customer address spaces to
ensure that there are no address collisions in the Advantech satellite network. In a satellite network where
all traffic is going through GRE tunnels, the only IP addresses the satellite network routes on are the
tunnel source and destination addresses. The tunnel source addresses are configured in the Cisco router
and taken from a reserved subnet. The tunnel destination addresses are the tunnel endpoint IP addresses
of the SIT population. These SIT tunnel endpoint IP addresses could be grouped in one or many subnets
depending on the network topology. Therefore, traffic not belonging to a VPN can be transported as
usual through the satellite network as long as there is no conflict between the IP addresses used by that
non-VPN traffic and the tunnel source and destination IP addresses.

The following figure gives an example of how these two types of traffic can coexist.


FIGURE 4 IP ADDRESSES RESOURCE ALLOCATION IN THE SATELLITE NETWORK


The example above shows that the reserved tunnel endpoint IP addresses, from the point of view of the
Cisco GRE routers, are:
- Tunnel source IP subnet 10.1.1.1/24
- Tunnel destination subnet 10.1.2.1/24
- Tunnel destination subnet 10.1.3.1/24

All these IP addresses are reserved for the VPN traffic (GRE encapsulated). In order to avoid IP
address conflicts, the administrator of the satellite network must ensure that hosts that are not members
of a VPN do not use IP addresses that overlap the addresses used by the VPN traffic (as is the case for
the customer C sites in the example above).
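The address-plan check that the two passages above ask of the satellite network administrator (tunnel source and destination subnets reserved for GRE traffic, non-VPN hosts kept outside them), as an added Python example that is not part of the write-up or of any Advantech tooling. The three reserved subnets are taken exactly as the document lists them (the host-style notation 10.1.1.1/24 is accepted and normalised to the /24 network); the non-VPN assignments, including the customer C sites and the two deliberately conflicting entries, are constructed values.

```python
from ipaddress import ip_network

# Tunnel endpoint address space exactly as listed in the write-up's Figure 4 example;
# strict=False accepts the host-style notation (10.1.1.1/24) and yields the /24 network.
RESERVED_TUNNEL_SUBNETS = [
    ip_network("10.1.1.1/24", strict=False),  # tunnel sources on the Cisco router
    ip_network("10.1.2.1/24", strict=False),  # tunnel destinations (SIT endpoints)
    ip_network("10.1.3.1/24", strict=False),  # tunnel destinations (SIT endpoints)
]

# Constructed, hypothetical non-VPN assignments an administrator might hold in an address plan.
# The customer C sites sit outside the reserved space; the last two entries do not.
NON_VPN_ASSIGNMENTS = {
    "customer-C-site-1": "10.1.4.0/24",
    "customer-C-site-2": "10.1.5.0/24",
    "nms-probe": "10.1.2.77",      # a single host that lands inside a reserved subnet
    "legacy-lan": "10.1.0.0/22",   # a wider block that covers all three reserved /24s
}


def to_network(value: str):
    """Accept a host address or a prefix; a bare host address becomes a /32."""
    return ip_network(value, strict=False)


def find_reserved_overlaps(reserved):
    """Reserved tunnel subnets must themselves be disjoint; return any overlapping pairs."""
    overlaps = []
    for i, a in enumerate(reserved):
        for b in reserved[i + 1:]:
            if a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps


def find_address_conflicts(assignments, reserved):
    """Return (name, assignment, reserved subnet) for every non-VPN assignment that
    overlaps the GRE tunnel endpoint address space; an empty list means the plan is clean."""
    conflicts = []
    for name, value in assignments.items():
        net = to_network(value)
        for sub in reserved:
            if net.overlaps(sub):
                conflicts.append((name, value, str(sub)))
    return conflicts


if __name__ == "__main__":
    for a, b in find_reserved_overlaps(RESERVED_TUNNEL_SUBNETS):
        print(f"RESERVED OVERLAP: {a} and {b}")
    for name, value, sub in find_address_conflicts(NON_VPN_ASSIGNMENTS, RESERVED_TUNNEL_SUBNETS):
        print(f"CONFLICT: {name} ({value}) overlaps reserved tunnel subnet {sub}")
```

Running the check against this plan reports nothing for the customer C sites and flags the probe host and the /22 block; the same two functions can be run whenever a non-VPN address is added or a new SIT endpoint subnet is reserved, so the ambiguity the document warns about is caught before the traffic is routed.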

